.htaccess Magic Page 2

Allowing and Disallowing Users

How do we permit or deny access to the directory by user name? This was touched on a bit above when we used the require directive. To allow or to deny users, you must have a file that is used to hold user names and passwords. This file is not the same as that used to store account passwords (/etc/passwd). This means that you don't have to create accounts for users to provide security on Web access to a directory. The path to the file that contains the user names and passwords is defined in the AuthUserFile directive. The path name must be the full Unix pathname to the file. We could do the following if we were protecting a directory called /usr/name/inprogress/:

The first command will make a hidden directory; the second will run a program called htpasswd (the code, htpasswd.c, is provided in an NCSA HTTPd distribution). That program will create (via the -c option) the file /usr/name/inprogress/.data/.htpasswd and load the user name userid to the file. It will then prompt a password from that user, and a confirmation. That will look like:

To add additional user names and passwords, you can simply use the htpasswd program without the -c option. This process be automated and run from an interactive Web page. To do this, the CGI script will need to do two things. First, it will have to be able to open and write to the .htaccess file if the person is adding a new entry (name). Then, it will have to be able to run the htpasswd program against the correct .htpasswd file (for additions or for updates). Neither of these is impossible and can be easily performed in Tcl, Perl or even in shell language. Some of the potential problems to look out for are disallowing duplicate user names, making sure that users are aware that the password information is passed in the open and should not match any other password information that they have on-line and, most importantly, not allowing for one user to change the password of another.